Hi, there were some discussions in January regarding recommendations for browser-based apps (https://www.ietf.org/mail-archive/web/oauth/current/msg16874.html).

I'd just like to ask if the Authorization Code Flow with PKCE is a valid option for Single-Page-Applications (in our case Angular), because Implicit Flow cannot be used in our scenario. Authorization Code Flow with PKCE eliminates the necessity for client secrets, but our concern is that exposing the refresh token to the SPA might be a security risk, compared to the Implicit Flow where no refresh token is exposed. What's your take on this?

Kind regards,
Stefan Büringer

P.S. I couldn't find that much on the internet regarding Authorization Code Flow with PKCE in SPAs, if you have some recommendations for good blog posts I would be grateful.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth